Who needs the ACLs and static NAT?
I came apon a job whose network layout is kind of tricky. Here is the skinny:
2 routers (both 1721s). One is SBCs and it plugs into the internet on WIC interface. Nic interface plugs into a PIX 506E Firewall. The firewall does the PAT. The other eth port on the firewall plugs into the switch. The other router's WIC card plugs into the franchise intranet, and the NIC plugs into the switch.
All the PCs, servers, etc have the default gateway set to the ethernet interface of the franchise 1721. That router looks at the destination address and decides if it needs to go out it's WIC (if the dest. address is on the corporate intranet's subnet) or if it needs to go out to the internet (through the firewall and out the other router).
Now heres what I am trying to accomplish:
The customer wants to be able to telnet into one machine in the private network from her house.
Obviously, I need an ACL on the SBC router because thats where the request is comming from. I also have set up static NAT on the router from a public IP (in our valid range that SBC provides) and the private IP of the machine that she wants to access.
Currently, it is not working. I thought it had something to do with the other router so I started contacting the network engineers at the franchise office to get them to open up their router to allow telnet.
I now think however, that the reason it is not working is I have the static NAT on the wrong device!!
Shouldn't it be on the firewall, because the SBC router doesn't know anything about those private addresses (the PAT happens on the firewall).
Is my hunch right? Can you please advise me on what devices will needs changes in their ACLs and which device(s) will need static NAT mapping? I don't want to open any thing I don't have to. Thanks!!
I just came from the clients office. I am a little lost here. I am quite nifty at the CLI of a router or a switch, but every other firewall I have dealt with (Sonicwall, Watchgaurd, etc) has had a web based GUI. I am new in the field and have never configured a PIX before.
Here's what I have right now:
SBC router is configured to allow Telnet traffic in.
The PIX 506E has PAT configured on it. I tried setting up static NAT with no luck on the firewall. Attached is my running config. Perhaps you could instruct me on a some commands I can throw at this box to make this whole mess work!!
Let 207.184.18.10 be the address of the internal machine we want to access and SERVER.PUBLIC.IP be the public address we should point our telnet client to get in.
Similar Messages
-
I have a MacBook Pro, 15-inch, Mid 2009. I would love to upgrade to a Solid State Drive. What is the best possible upgrade I can buy. I need the specs and even brand name. Thank you to anyone who can help.
A 15" mid-2009 MBP RAM specifications are: 204-pin PC3-8500 (1066 MHz) DDR3 SO-DIMM.
As has been pointed out, OWC is an excellent source for Mac compatible RAM. Crucial is another first rate source for Mac RAM. RAM from either vendor will work just as well as any purchased from Apple with the bonus of being less expensive and having a lifetime guarantee.
Ciao. -
MS NLB with ASA and Static NAT from PUP to NLB IP
Hi all,
I am trying to get MS NLB up and running. It is almost all working. Below is my physical setup.
ASA 5510 > Cat 3750X >2x ESXi 5.1 Hosts > vSwitch > Windows 2012 NLB Guest VMs.
I have two VMs runing on two different ESXi hosts. They have two vNICs. One for managment and one for inside puplic subnet. The inside puplic subnet NICs are in the NLB cluster. The inside public subnet is NATed on the ASA to a outide public IP.
192.168.0.50 is the 1st VM
192.168.0.51 is the 2nd VM
192.168.0.52 is the cluster IP for heartbeat
192.168.0.53 is the cluster IP for NLB traffic.
0100.5e7f.0035 is the cluster MAC.
The NLB cluster is using MULTICAST
I have read the doumentation for both the ASA and CAT switch for adding a static ARP using the NLB IP and NLB MAC.
For the ASA I found
http://www.cisco.com/en/US/docs/security/asa/asa84/asdm64/configuration_guide/mode_fw.html#wp1226249
ASDM
Configuration > Device Management > Advanced > ARP > ARP Static Table
I was able to add my stic ARP just fine.
However, the next step was to enable ARP inspection.
Configuration > Device Management > Advanced > ARP > ARP Inspection
My ASDM does not list ARP Inspection, only has the ARP Static Table area. Not sure about this.
For the CAT Switch I found
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml
I added the both the ARP and Static MAC. For the static MAC I used the VLAN ID of the inside public subnet and the interfaces connected to both ESXi hosts.
On the ASA I added a static NAT for my outside Public IP to my inside pupblic NLB IP and vise versa. I then added a DNS entry for our domain to point to the outside public IP. I also added it to the public servers section allowing all IP traffic testing puproses.
At any rate the MS NLB is working ok. I can ping both the Public IP and the Inside NLB IP just fine from the outside. (I can ping the inside NLB IP becuase I'm on a VPN with access to my inside subnets) The problem is when I go to access a webpade from my NLB servers using the DNS or the Public IP I get a "This Page Can't Be Displyed" messgae. Now while on the VPN if I use the same URL but insied use the NLB IP and not the Public IP it works fine.
So I think there is soemthing wrong with the NATing of the Public to NLB IP even tho I can ping it fine. Below is my ASA Config. I have bolded the parts of Interest.
Result of the command: "show run"
: Saved
ASA Version 8.4(4)9
hostname MP-ASA-1
enable password ac3wyUYtitklff6l encrypted
passwd ac3wyUYtitklff6l encrypted
names
dns-guard
interface Ethernet0/0
nameif outside
security-level 0
ip address 198.XX.XX.82 255.255.255.240
interface Ethernet0/1
description Root Inside Interface No Vlan
speed 1000
duplex full
nameif Port-1-GI-Inside-Native
security-level 100
ip address 10.1.1.1 255.255.255.0
interface Ethernet0/1.2
description Managment LAN 1 for Inside Networks
vlan 2
nameif MGMT-1
security-level 100
ip address 192.168.180.1 255.255.255.0
interface Ethernet0/1.3
description Managment LAN 2 for Inside Networks
vlan 3
nameif MGMT-2
security-level 100
ip address 192.168.181.1 255.255.255.0
interface Ethernet0/1.100
description Development Pubilc Network 1
vlan 100
nameif DEV-PUB-1
security-level 50
ip address 192.168.0.1 255.255.255.0
interface Ethernet0/1.101
description Development Pubilc Network 2
vlan 101
nameif DEV-PUB-2
security-level 50
ip address 192.168.2.1 255.255.255.0
interface Ethernet0/1.102
description Suncor Pubilc Network 1
vlan 102
nameif SUNCOR-PUB-1
security-level 49
ip address 192.168.3.1 255.255.255.0
interface Ethernet0/1.103
description Suncor Pubilc Network 2
vlan 103
nameif SUNCOR-PUB-2
security-level 49
ip address 192.168.4.1 255.255.255.0
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
ip address 192.168.1.1 255.255.255.0
management-only
boot system disk0:/asa844-9-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
object network Inside-Native-Network-PNAT
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network with PNAT
object network ASA-Outside-IP
host 198.XX.XX.82
description The primary IP of the ASA
object network Inside-Native-Network
subnet 10.1.1.0 255.255.255.0
description Root Inisde Native Interface Network
object network VPN-POOL-PNAT
subnet 192.168.100.0 255.255.255.0
description VPN Pool NAT for Inside
object network DEV-PUP-1-Network
subnet 192.168.0.0 255.255.255.0
description DEV-PUP-1 Network
object network DEV-PUP-2-Network
subnet 192.168.2.0 255.255.255.0
description DEV-PUP-2 Network
object network MGMT-1-Network
subnet 192.168.180.0 255.255.255.0
description MGMT-1 Network
object network MGMT-2-Network
subnet 192.168.181.0 255.255.255.0
description MGMT-2 Network
object network SUNCOR-PUP-1-Network
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUP-1 Network
object network SUNCOR-PUP-2-Network
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUP-2 Network
object network DEV-PUB-1-Network-PNAT
subnet 192.168.0.0 255.255.255.0
description DEV-PUB-1-Network with PNAT
object network DEV-PUB-2-Network-PNAT
subnet 192.168.2.0 255.255.255.0
description DEV-PUB-2-Network with PNAT
object network MGMT-1-Network-PNAT
subnet 192.168.180.0 255.255.255.0
description MGMT-1-Network with PNAT
object network MGMT-2-Network-PNAT
subnet 192.168.181.0 255.255.255.0
description MGMT-2-Network with PNAT
object network SUNCOR-PUB-1-Network-PNAT
subnet 192.168.3.0 255.255.255.0
description SUNCOR-PUB-1-Network with PNAT
object network SUNCOR-PUB-2-Network-PNAT
subnet 192.168.4.0 255.255.255.0
description SUNCOR-PUB-2-Network with PNAT
object network DEV-APP-1-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-APP-2-SNAT
host 192.168.2.120
description DEV-APP-2 Server with SNAT
object network DEV-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network DEV-SQL-1
host 192.168.0.110
description DEV-SQL-1 Inside Server IP
object network DEV-SQL-2
host 192.168.2.110
description DEV-SQL-2 Inside Server IP
object network SUCNOR-APP-1-PUB
host 198.XX.XX.XX
description SUNCOR-APP-1 Public Server IP
object network SUNCOR-APP-2-SNAT
host 192.168.4.120
description SUNCOR-APP-2 Server with SNAT
object network SUNCOR-APP-2-PUB
host 198.XX.XX.XX
description DEV-APP-2 Public Server IP
object network SUNCOR-SQL-1
host 192.168.3.110
description SUNCOR-SQL-1 Inside Server IP
object network SUNCOR-SQL-2
host 192.168.4.110
description SUNCOR-SQL-2 Inside Server IP
object network DEV-APP-1-SNAT
host 192.168.0.120
description DEV-APP-1 Network with SNAT
object network SUNCOR-APP-1-SNAT
host 192.168.3.120
description SUNCOR-APP-1 Network with SNAT
object network PDX-LAN
subnet 192.168.1.0 255.255.255.0
description PDX-LAN for S2S VPN
object network PDX-Sonicwall
host XX.XX.XX.XX
object network LOGI-NLB--SNAT
host 192.168.0.53
description Logi NLB with SNAT
object network LOGI-PUP-IP
host 198.XX.XX.87
description Public IP of LOGI server for NLB
object network LOGI-NLB-IP
host 192.168.0.53
description LOGI NLB IP
object network LOGI-PUP-SNAT-NLB
host 198.XX.XX.87
description LOGI Pup with SNAT to NLB
object-group network vpn-inside
description All inside accessible networks
object-group network VPN-Inside-Networks
description All Inside Nets for Remote VPN Access
network-object object Inside-Native-Network
network-object object DEV-PUP-1-Network
network-object object DEV-PUP-2-Network
network-object object MGMT-1-Network
network-object object MGMT-2-Network
network-object object SUNCOR-PUP-1-Network
network-object object SUNCOR-PUP-2-Network
access-list acl-vpnclinet extended permit ip object-group VPN-Inside-Networks any
access-list outside_access_out remark Block ping to out networks
access-list outside_access_out extended deny icmp any any inactive
access-list outside_access_out remark Allow all traffic from inside to outside networks
access-list outside_access_out extended permit ip any any
access-list outside_access extended permit ip any object LOGI-NLB--SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-2-SNAT
access-list outside_access extended permit ip any object SUNCOR-APP-1-SNAT
access-list outside_access extended permit ip any object DEV-APP-2-SNAT
access-list outside_access extended permit ip any object DEV-APP-1-SNAT
access-list outside_cryptomap extended permit ip object-group VPN-Inside-Networks object PDX-LAN
pager lines 24
logging asdm informational
mtu outside 1500
mtu Port-1-GI-Inside-Native 1500
mtu MGMT-1 1500
mtu MGMT-2 1500
mtu DEV-PUB-1 1500
mtu DEV-PUB-2 1500
mtu SUNCOR-PUB-1 1500
mtu SUNCOR-PUB-2 1500
mtu management 1500
ip local pool Remote-VPN-Pool 192.168.100.1-192.168.100.20 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
icmp permit any outside
icmp permit any Port-1-GI-Inside-Native
icmp permit any MGMT-1
icmp permit any MGMT-2
icmp permit any DEV-PUB-1
icmp permit any DEV-PUB-2
icmp permit any SUNCOR-PUB-1
icmp permit any SUNCOR-PUB-2
asdm image disk0:/asdm-649-103.bin
no asdm history enable
arp DEV-PUB-1 192.168.0.53 0100.5e7f.0035 alias
arp timeout 14400
no arp permit-nonconnected
nat (Port-1-GI-Inside-Native,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (MGMT-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-1,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (SUNCOR-PUB-2,outside) source static any any destination static VPN-POOL-PNAT VPN-POOL-PNAT
nat (DEV-PUB-1,outside) source static DEV-PUP-1-Network DEV-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (DEV-PUB-2,outside) source static DEV-PUP-2-Network DEV-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-1,outside) source static MGMT-1-Network MGMT-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (MGMT-2,outside) source static MGMT-2-Network MGMT-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (Port-1-GI-Inside-Native,outside) source static Inside-Native-Network Inside-Native-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-1,outside) source static SUNCOR-PUP-1-Network SUNCOR-PUP-1-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
nat (SUNCOR-PUB-2,outside) source static SUNCOR-PUP-2-Network SUNCOR-PUP-2-Network destination static PDX-LAN PDX-LAN no-proxy-arp route-lookup
object network Inside-Native-Network-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network VPN-POOL-PNAT
nat (Port-1-GI-Inside-Native,outside) dynamic interface
object network DEV-PUB-1-Network-PNAT
nat (DEV-PUB-1,outside) dynamic interface
object network DEV-PUB-2-Network-PNAT
nat (DEV-PUB-2,outside) dynamic interface
object network MGMT-1-Network-PNAT
nat (MGMT-1,outside) dynamic interface
object network MGMT-2-Network-PNAT
nat (MGMT-2,outside) dynamic interface
object network SUNCOR-PUB-1-Network-PNAT
nat (SUNCOR-PUB-1,outside) dynamic interface
object network SUNCOR-PUB-2-Network-PNAT
nat (SUNCOR-PUB-2,outside) dynamic interface
object network DEV-APP-2-SNAT
nat (DEV-PUB-2,outside) static DEV-APP-2-PUB
object network SUNCOR-APP-2-SNAT
nat (SUNCOR-PUB-2,outside) static SUNCOR-APP-2-PUB
object network DEV-APP-1-SNAT
nat (DEV-PUB-1,outside) static DEV-APP-1-PUB
object network SUNCOR-APP-1-SNAT
nat (SUNCOR-PUB-1,outside) static SUCNOR-APP-1-PUB
object network LOGI-NLB--SNAT
nat (DEV-PUB-1,outside) static LOGI-PUP-IP
object network LOGI-PUP-SNAT-NLB
nat (outside,DEV-PUB-1) static LOGI-NLB-IP
access-group outside_access in interface outside
access-group outside_access_out out interface outside
route outside 0.0.0.0 0.0.0.0 198.145.120.81 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
user-identity default-domain LOCAL
http server enable
http 192.168.1.0 255.255.255.0 management
http 192.168.1.0 255.255.255.0 outside
http 10.1.1.0 255.255.255.0 Port-1-GI-Inside-Native
http 192.168.180.0 255.255.255.0 MGMT-1
http 192.168.100.0 255.255.255.0 Port-1-GI-Inside-Native
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect icmp error
service-policy global_policy global
prompt hostname context
call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email [email protected]
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:d6f9f8e2113dc03cede9f2454dba029b
: end
Any help would be great! I think the issue is in teh NAT as I am able to access NLB IP from the outside and could not do that before adding the Static ARP stuff.
Thanks,
ChrisAlso If I change to NAT from the public IP to the NLB IP to use either one of the phsyical IPs of the NLB cluster (192.168.0.50 or 51) it works fine when using the public IP. So it's definatly an issue when NATing the VIP of NLB cluster.
Chris -
Dynamic PAT and Static NAT issue ASA 5515
Hi All,
Recently we migrated our network to ASA 5515, since we had configured nat pool overload on our existing router the users are able to translated their ip's outside. Right now my issue was when I use the existing NAT configured to our router into firewall, it seems that the translation was not successful actually I used Dynamic NAT. When I use the Dynamic PAT(Hide) all users are able to translated to the said public IP's. I know that PAT is Port address translation but when I use static nat for specific server. The Static NAT was not able to translated. Can anyone explain if there's any conflict whit PAT to Static NAT? I appriciate their response. Thanks!
- BhalHi,
I would have to guess that you Dynamic PAT was perhaps configured as a Section 1 rule and Static NAT configured as Section 2 rule which would mean that the Dynamic PAT rule would always override the Static NAT for the said host.
The very basic configured for Static NAT and Default PAT I would do in the following way
object network STATIC
host
nat (inside,outside) static dns
object-group network DEFAULT-PAT-SOURCE
network-object
nat (inside,outside) after-auto source dynamic DEFAULT-PAT-SOURCE interface
The Static NAT would be configured as Network Object NAT (Section 2) and the Default PAT would be configured with Twice NAT / Manual NAT (after-auto specifies it as Section 3 rule)
This might sound confusing. Though it would be easier to say what the problem is if we saw the actual NAT configuration. Though I gave the reason that I think is probably one of the most likely reasons if there is some conflict with the 2 NAT rules
You can also check out a NAT document I made regarding the new NAT configuration format and its operation.
https://supportforums.cisco.com/docs/DOC-31116
Hope this helps
- Jouni -
I just got my MIDI to USB cable, fired up Garageband. I clicked the basic lessons, tried Play. But the lesson guy is playing. I'm the one who needs the practice, not him. Please help. I don't know what I'm doing.
G35Guy:
Well, if that's the case, you must have a different finish on yours than I have on mine. Either that or you are extrordinarily careful when using it. Mine literally scratches when using a microfibre cloth. I would really like to know whether yours is somehow different. It would really piss me of if some people got a good quality exterior that doesn't scratch and some of us got the opposite. Did you try holding your player under a light to see if there is anything. You may just be looking at it in bad lighting. I find it hard to believe, unless your unit has a different type of plastic cover, that it hasn't received any type of scratches. Can you take a picture of it's It probably seems as though I don't believe you. That's not the case. Its just that I was so careful not to scratch it last night and it got scratched anyway. I have read of similar experiences by others who have the Vision:M as well.
I wish I could return mine and get a different color, it really upsets me that a $300 item that is meant to be hand held and used heavily scratches this easily!! If anyone from creative is reading this, I would like to know what you plan to do about it! I didn't pay all of that money to have this player look like Sh*t when I am only using it the way it was intended and am being very careful at that!
John -
HT201272 wait just to be sure i am not the only one who has the "term and conditions" problem
wait just to be sure i am not the only one who has the "term and conditions" problem
Go to Crucial.com and use one of their two methods to determine what upgrades are available for your Mac:
I would purchase the modules from Crucial as they are very reliable and wiill work with you if you have problems.
OT -
Hi I bought an iPhone from my friend who forgot the username and password, and now my iPhone Aktyvyshn code and that it wants to register Forgot your password to her email, please guide me
You can NOT do so. Only the owner of the account used to lock the phone can remove it. Instructions for how to do so can be found within or linked from within the document I already linked to.
Activation lock is an anti-theft feature designed to make the device useless to anyone other than the rightful owner.
If your friend refuses to give your money back and can not or will not remove the activation lock, there is a fair possibility that the phone was not theirs to sell in the first place. -
X61s Type 7669 - URGENTLY need the Rescue and Recovery CD (1/1)
Can someone please help, I need the Rescue and Recovery CD (1/1) as I have all the other Recovery CDs but I can't find the one I really need.
Is anyone able to create an image (.iso) file that I can download?
PLEEEEAASE HELP!ukdealguide,
You're asking someone to make an illegal copy of a Microsoft/Lenovo CD. That's also against forum rules.
Call Lenovo for a new Rescue and Recovery CD set.
Thread locked.
Message Edited by bananaman on 05-18-2009 06:43 AM
I don't work for Lenovo. I'm a crazy volunteer! -
Need the complete and correct way to reset Safari 5.1
Need the complete and correct way to reset Safari 5.1 the reason being is that 1. Even with the fix for .pdf's opening in Sarfai, they still don't and I have local copy of a html file that I use to access my most frequent sites and it refuses to open when Safari loads.
I need to know what to save so that I can reinstall it after the reset. I don't want to lose my cookies and passwords that I have saved.Well I went back to one of my old discussions from a few months ago and found the right way to reset Safari but also dicovered that the file that my other older Mac had the same problem with, were I could'nt load a .pdf file into Safari as well as play video files, like the one that Apple posted of the Stve Job's tribute yesterday.QuickTime would'nt load so this morning got my act together and took each file that I thought might be corrupt out till I found the one that was, having to restart Safari and shut it down.
the file in the
Home/Library/Preferences>com.apple.Safari.plist was the culprit. I am now trying to find a way to see how one can tell if this file is corrupt before backing it up, since "plists" are not a file to mess with.
I hate resetting Safari since it destroys a bunch of files that one builds up over a long period of time, and hate to destroy all that work just because of one file. Hopefully if someone reads this they can find a way of having Safari back it up on a on going basis but making sure it is'nt corrupt in the process. -
How to fiter packet in router exept the acl and firewall?
Subject is intact.
I found something interesting while trying to perform a process.
To be filtered by the ICMP protocol, where the ACL and Firewall, was that you should not use it.
But no matter how these ideas to Google, there was no answer to this.
Please share reference about this or more keywords, and your knowledge.you are not clear on what you are trying to do..
You want to block all icmp without using access-lists?
I think an intrusion prevention system is a very expensive solution for this..
technically any device that can drop traffic is a firewall. So I don't see much other option for you. You could use a linux box running ip tables to do the same thing however that is still a firewall.. -
Command to see host and static nat for the same object together
I have researched this but cannot find an answer. ASA running version 8.5.
When you create the config using object NAT you enter the commands as follows
object network <object name>
host x.x.x.x
nat (inside,outside) static y.y.y.y
When the config is displayed it separates the host and nat commands in two different sections of the config as follows
object network <object name>
host x.x.x.x
object network <object name>
nat (inside,outside) static y.y.y.y
Is there a command that will display it all together (like it was typed in)? Show NAT is something like what I am after but without all of the extra info such as translate_hits, untranslate_hits etc. I need this information but cleaning up the output of a show nat is going to be tough.
Any suggestions?
Thanks.Sorry, show nat detail is what I meant in the original post in place of show nat. Show nat detail still has all of the extra info I was trying to avoid. Guess I will be editing a text file.
Thanks for the reply. -
Who needs the JavaFX runtime redistributable? Please "Stand up and shout!"
With the 1.2 release JavaFX gains more momentum and more attractivity. Also for the "classic" desktop application sector. It has the ability to give Java apps all the eye candy and smoothness in operation that many end-users pretend/believe "Java does not have".
My only problem (as a developer and ISV!) is: I cannot build and sell applications for my customers with JavaFX!
... at least not in the way most of my customers would prefer:
- get the software as one single package,
- put it in/on the PC
- and USE it. Period.
There are many (very many!!!) customers (end-users!) who easily get very confused by:
- having to install "something called JRE"(1) on their box
- having to go to a certain website to get that JRE from
- or, beeing confronted with the web start screens and security warnings.
So, I would say, for an ISV distribution as a single package that starts "out of the box" is maybe even more important than the rather "advanced" or "sophisticated" webstart. Actually, for many customers who do not have a technical background, beeing confronted with the mentioned technical details quickly becomes a real show-stopper. Sorry, but that's the way many people work and think.
That's not good for me. That's not good for all the other ISVs. And that's not good for Java and Sun, either, I think.
And, as an entrepreneur, I would not like falling into what in German would be called "betting on the wrong horse".
But, if I understand the license correctly, that is exactly what I cannot do: Bundle my applications with a JRE & JavaFX runtime, just as I would be allowed to do with the JRE only. So there is no way of an one-package offline distribution and installation. And thus no way to reach a significant amount of users - and customers!
So, my questions in short are:
1) Is there someone at the forum, who shares my problems or fears?
2) Is there someone from Sun at the forum who could tell me something about what to do with JavaFX in that case? Is there something I have forgotten, or is there simply no way. Or are there future plannings on changing the license in a less restrictive way? If so: what is the schedule and what could the changes look like.
Best regards,
Robert
(1) Please don't get my irony wrong - I just frequently meet end-users who do not know much or even anything about Java or an JRE - sad but true ...
Edited by: aeonium on Jul 30, 2009 2:41 PM
Edited by: aeonium on Jul 30, 2009 2:49 PM
Edited by: aeonium on Jul 30, 2009 2:54 PMAbout 1): Yes, there are several questions about licensing and being able to distribute JavaFX applications offline, on computers not connected to Internet, among other requirements.
I would say your requirement are reasonable. I make for my work an install program deploying a JRE along a complete Java application, and for the user, he runs the application like any Windows application, no need to know it is Java based. That's nice and user friendly. -
Hello
I had pix+CSM on 6500. I've changed it to new ACE module on 6500.
I've made loadbalancing which was done on CSM. Now i wanted to connect dmz which was connected to pix and make static DNAT.
I used configuration guide/examples from: http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.00_A1/configuration/security/guide/nat.html
I need to make static DNAT, but i can't figure how it works. There are many errors in this document including incorrect (old?) syntax (for example: nat static 192.0.0.0 255.0.0.0 80 vlan 101)
I analyzed three examples at the and of this document. My questions:
1. how do i choose if it's source or destination NAT ?
2. do i always apply service-policy to vlan interface which receives packets which should be natted ?
3. What is class-map(it's ACL) choosing ? Incoming traffic which destination address should be changed ?
4. is in command: "nat static A netmask netmaskA vlan B" A is outside ip address before translation to inside address ?
5. Could anybody give me a simple example of static DNAT ? (or any links?)
ThanxDestination nat is equivalent to loadbalancing to one server.
I would therefore configure a vip being the inbound destination address, and a rserver which would be the outbound nated destination ip address.
Then create a policy-map to link the 2 together and apply the policy-map to the incoming vlan, or you can apply it globally.
For the reverse connections, where you then need to nat the source ip back to the 'VIP' you use the static nat config that you have found in the document.
By the way, I don't see anything wrong with it.
Those commands are in A1 and also the new A2 release.
ACE is really a loadbalancer with some firewall features and not the opposite.
This is why pure nating functions are not straightfoward to configure.
Gilles. -
Using both Dynamic and Static NAT with two Different Internet facing Subnets
We have two Class C Public Address subnets. We started with Subnet (A) and have many of our Internet accessible devices on it. It is running on a Cisco PIX 515R. We bought a new ASA 5510 8.3(2) and started Migrating the Users and new servers to it so I started with our second Class C Subnet (B). Later on down the road I found out that if the Firewalls Default Gateway is is set to a (B) Interface subnet, then the servers that are statically mapped to a (A) Address will have a (B) address when they communicate out to the internet. So they are receiving packets on their (A) Address, though replying to them with a (B) address.
It was mentioned that I should be able to combine static and dynamic NAT mapping to allow devices behind the firewall to have a fixed external Address when communicating outbound as well as inbound.
So For instance I want the Following: when the Internal Replies I want the reply to come from the mapped IP, not a IP from the Dynamic Pool.
Public IP: 192.168.1.100/24
Internal IP: 10.0.0.100/16
Public IP: 192.168.5.101/24
Internal IP: 10.0.0.101/16
interface Ethernet0/0
description 192.168.1.0/24 Network Outside IP
nameif outside-1
security-level 0
ip address 192.168.1.1 255.255.255.0
interface Ethernet0/1
description 192.168.5.0/24 Network Outside IP
nameif outside-5
security-level 0
ip address 192.168.5.1 255.255.255.0
interface Ethernet0/2
description inside 10.0.0.0/16
nameif inside
security-level 100
ip address 10.0.0.1 255.255.0.0
object network serverA_o
host 192.168.1.100
object network serverA_i
host 10.0.0.100
object network serverB_o
host 192.168.5.101
object network serverB_i
host 10.0.0.101
object network 192-168-1-NAT-POOL
range 192.168.1.50 192.168.1.239
nat (inside,outside-1) source static serverA_i serverA_o
nat (inside,outside-5) source static serverB_i serverB_o
nat (inside,outside-1) source dynamic any 192-168-1-NAT-POOL interface
object network serverA_i
nat (inside,outside-1) static serverA_o
object network serverB_i
nat (inside,outside-5) static serverB_o
route outside-1 0.0.0.0 0.0.0.0 192.168.1.1 1
route outside-5 0.0.0.0 0.0.0.0 192.168.5.1 2
When I set this up my serverB shows a Public IP of something in the 192-168-1-NAT-POOL Not 192.168.5.101
Any Suggestions?
Thanks!Not sure why I have Multiple Entries. )-: I did think it was Odd. I think it might be because I looking at examples of the new and old styles of NAT.
We have a Single ISP, though have 2 separate non-Contiguous Class C Addresses from them. We host some Servers on one subnet and some on the other.
I'm looking for a way to use both Subnets on the same ASA.
The Connection to the net looks like this:
Internet -> Edge Router Layer3 VLAN Switch
GE0/1.2 - 192.168.1.1 VLAN Tagged --> GE0 - VLAN Tagged
GE0/1.2 - 192.168.5.1 VLAN Tagged -^
Layer3 VLAN Switch Firewall
GE1 192.168.1.0/24 Untagged -> ASA Outside-1
GE2 192.168.5.0/24 Untagged -> ASA Outside-5
Firewall
ASA inside 10.0.0.0/16 -> Switch -> 10.0.0.100
Hope that helps clarify.
I could try to post some sanitized Configs of my PIX and ASA if needed. But the end result I'm trying to do is have the ASA do NAT for multiple Public Subnets. -
Need help setting up static NAT to internal server
One of my internal servers requires it to be available to the internet I am having a hard time allowing it to be NATed through my Ciscc 2801 router. It seems as though im missing something small. From what I can gather it seems as though its as issue with ACL, but im not sure. I have ran the following command: ip nat inside source static tcp 192.168.5.1 ***WAN IP Address*** 8443 extendable Then I tried to add it to the ACL
via this command: access-list 150 permit tcp any host ***WAN IP Address*** eq 8443
Here is a copy of my config. Please advise. Thanks.
IP 172.19.3.x
sub 255.255.255.128
GW 172.19.3.129
Ciscso 2801 Router
Current configuration : 11858 bytes
version 12.4
service timestamps debug datetime localtime
service timestamps log datetime localtime show-timezone
service password-encryption
hostname router-2801
boot-start-marker
boot-end-marker
logging message-counter syslog
logging buffered 4096
aaa new-model
aaa authentication login userauthen group radius local
aaa authorization network groupauthor local
aaa session-id common
clock timezone est -5
clock summer-time zone recurring last Sun Mar 2:00 1 Sun Nov 2:00
dot11 syslog
ip source-route
ip dhcp excluded-address 172.19.3.129 172.19.3.149
ip dhcp excluded-address 172.19.10.1 172.19.10.253
ip dhcp excluded-address 172.19.3.140
ip dhcp ping timeout 900
ip dhcp pool DHCP
network 172.19.3.128 255.255.255.128
default-router 172.19.3.129
domain-name domain.local
netbios-name-server 172.19.3.7
option 66 ascii 172.19.3.225
dns-server 172.19.3.140 208.67.220.220 208.67.222.222
ip dhcp pool VoiceDHCP
network 172.19.10.0 255.255.255.0
default-router 172.19.10.1
dns-server 208.67.220.220 8.8.8.8
option 66 ascii 172.19.10.2
lease 2
ip cef
ip inspect name SDM_LOW cuseeme
ip inspect name SDM_LOW dns
ip inspect name SDM_LOW ftp
ip inspect name SDM_LOW h323
ip inspect name SDM_LOW https
ip inspect name SDM_LOW icmp
ip inspect name SDM_LOW imap
ip inspect name SDM_LOW pop3
ip inspect name SDM_LOW netshow
ip inspect name SDM_LOW rcmd
ip inspect name SDM_LOW realaudio
ip inspect name SDM_LOW rtsp
ip inspect name SDM_LOW esmtp
ip inspect name SDM_LOW sqlnet
ip inspect name SDM_LOW streamworks
ip inspect name SDM_LOW tftp
ip inspect name SDM_LOW tcp
ip inspect name SDM_LOW udp
ip inspect name SDM_LOW vdolive
no ip domain lookup
ip domain name domain.local
multilink bundle-name authenticated
key chain key1
key 1
key-string 7 06040033484B1B484557
crypto pki trustpoint TP-self-signed-3448656681
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-3448bb6681
revocation-check none
rsakeypair TP-self-signed-344bbb56681
crypto pki certificate chain TP-self-signed-3448656681
certificate self-signed 01
3082024F
quit
username admin privilege 15 password 7 F55
archive
log config
hidekeys
crypto isakmp policy 10
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key XXXXX address 209.118.0.1
crypto isakmp key xxxxx address SITE B Public IP
crypto isakmp keepalive 40 5
crypto isakmp nat keepalive 20
crypto isakmp client configuration group IISVPN
key 1nsur3m3
dns 172.19.3.140
wins 172.19.3.140
domain domain.local
pool VPN_Pool
acl 198
crypto isakmp profile IISVPNClient
description VPN clients profile
match identity group IISVPN
client authentication list userauthen
isakmp authorization list groupauthor
client configuration address respond
crypto ipsec transform-set myset esp-3des esp-md5-hmac
crypto dynamic-map Dynamic 5
set transform-set myset
set isakmp-profile IISVPNClient
qos pre-classify
crypto map VPN 10 ipsec-isakmp
set peer 209.118.0.1
set peer SITE B Public IP
set transform-set myset
match address 101
qos pre-classify
crypto map VPN 65535 ipsec-isakmp dynamic Dynamic
track 123 ip sla 1 reachability
delay down 15 up 10
class-map match-any VoiceTraffic
match protocol rtp audio
match protocol h323
match protocol rtcp
match access-group name VOIP
match protocol sip
class-map match-any RDP
match access-group 199
policy-map QOS
class VoiceTraffic
bandwidth 512
class RDP
bandwidth 768
policy-map MainQOS
class class-default
shape average 1500000
service-policy QOS
interface FastEthernet0/0
description $ETH-LAN$$ETH-SW-LAUNCH$$INTF-INFO-FE 0$$FW_INSIDE$
ip address 172.19.3.129 255.255.255.128
ip access-group 100 in
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
duplex auto
speed auto
interface FastEthernet0/0.10
description $ETH-VoiceVLAN$$
encapsulation dot1Q 10
ip address 172.19.10.1 255.255.255.0
ip inspect SDM_LOW in
ip nat inside
ip virtual-reassembly
interface FastEthernet0/1
description "Comcast"
ip address PUB IP 255.255.255.248
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
duplex auto
speed auto
crypto map VPN
interface Serial0/1/0
description "Verizon LEC Circuit ID: w0w13908 Site ID: U276420-1"
bandwidth 1536
no ip address
encapsulation frame-relay IETF
frame-relay lmi-type ansi
interface Serial0/1/0.1 point-to-point
bandwidth 1536
ip address 152.000.000.18 255.255.255.252
ip access-group 102 in
ip verify unicast reverse-path
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
frame-relay interface-dlci 500 IETF
crypto map VPN
service-policy output MainQOS
interface Serial0/2/0
description "PAETEC 46.HCGS.788446.CV (Verizon ID) / 46.HCGS.3 (PAETEC ID)"
ip address 123.252.123.102 255.255.255.252
ip access-group 102 in
ip inspect SDM_LOW out
ip nat outside
ip virtual-reassembly
encapsulation ppp
crypto map VPN
service-policy output MainQOS
ip local pool VPN_Pool 172.20.3.130 172.20.3.254
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 50.00.000.110 track 123
ip route 0.0.0.0 0.0.0.0 111.252.237.000 254
ip route 122.112.197.20 255.255.255.255 209.252.237.101
ip route 208.67.220.220 255.255.255.255 50.78.233.110
no ip http server
no ip http secure-server
ip http timeout-policy idle 60 life 86400 requests 10000
ip flow-top-talkers
top 20
sort-by bytes
ip nat inside source route-map COMCAST interface FastEthernet0/1 overload
ip nat inside source route-map PAETEC interface Serial0/2/0 overload
ip nat inside source route-map VERIZON interface Serial0/1/0.1 overload
ip nat inside source static tcp 172.19.3.140 21 PUB IP 21 extendable
ip access-list extended VOIP
permit ip 172.20.3.0 0.0.0.127 host 172.19.3.190
permit ip host 172.19.3.190 172.20.3.0 0.0.0.127
ip radius source-interface FastEthernet0/0
ip sla 1
icmp-echo 000.67.220.220 source-interface FastEthernet0/1
timeout 10000
frequency 15
ip sla schedule 1 life forever start-time now
access-list 23 permit 172.19.3.0 0.0.0.127
access-list 23 permit 172.19.3.128 0.0.0.127
access-list 23 permit 173.189.251.192 0.0.0.63
access-list 23 permit 107.0.197.0 0.0.0.63
access-list 23 permit 173.163.157.32 0.0.0.15
access-list 23 permit 72.55.33.0 0.0.0.255
access-list 23 permit 172.19.5.0 0.0.0.63
access-list 100 remark "Outgoing Traffic"
access-list 100 deny ip 67.128.87.156 0.0.0.3 any
access-list 100 deny ip host 255.255.255.255 any
access-list 100 deny ip 127.0.0.0 0.255.255.255 any
access-list 100 permit tcp host 172.19.3.190 any eq smtp
access-list 100 permit tcp host 172.19.3.137 any eq smtp
access-list 100 permit tcp any host 66.251.35.131 eq smtp
access-list 100 permit tcp any host 173.201.193.101 eq smtp
access-list 100 permit ip any any
access-list 100 permit tcp any any eq ftp
access-list 101 remark "Interesting VPN Traffic"
access-list 101 permit ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 101 permit ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 101 permit tcp any any eq ftp
access-list 101 permit tcp any any eq ftp-data
access-list 102 remark "Inbound Access"
access-list 102 permit udp any host 152.179.53.18 eq non500-isakmp
access-list 102 permit udp any host 152.179.53.18 eq isakmp
access-list 102 permit esp any host 152.179.53.18
access-list 102 permit ahp any host 152.179.53.18
access-list 102 permit udp any host 209.000.000.102 eq non500-isakmp
access-list 102 permit udp any host 209.000.000.102 eq isakmp
access-list 102 permit esp any host 209.000.000.102
access-list 102 permit ahp any host 209.000.000.102
access-list 102 permit udp any host PUB IP eq non500-isakmp
access-list 102 permit udp any host PUB IP eq isakmp
access-list 102 permit esp any host PUB IP
access-list 102 permit ahp any host PUB IP
access-list 102 permit ip 72.55.33.0 0.0.0.255 any
access-list 102 permit ip 107.0.197.0 0.0.0.63 any
access-list 102 deny ip 172.19.3.128 0.0.0.127 any
access-list 102 permit icmp any any echo-reply
access-list 102 permit icmp any any time-exceeded
access-list 102 permit icmp any any unreachable
access-list 102 permit icmp any any
access-list 102 deny ip any any log
access-list 102 permit tcp any host 172.19.3.140 eq ftp
access-list 102 permit tcp any host 172.19.3.140 eq ftp-data established
access-list 102 permit udp any host SITE B Public IP eq non500-isakmp
access-list 102 permit udp any host SITE B Public IP eq isakmp
access-list 102 permit esp any host SITE B Public IP
access-list 102 permit ahp any host SITE B Public IP
access-list 102 permit tcp any host public ip eq 8443
access-list 110 remark "Outbound NAT Rule"
access-list 110 remark "Deny VPN Traffic NAT"
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.19.10.0 0.0.0.255
access-list 110 deny ip 172.19.10.0 0.0.0.255 172.19.3.128 0.0.0.127
access-list 110 deny ip 172.20.3.128 0.0.0.127 172.19.3.0 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.11
access-list 110 deny ip 172.19.3.128 0.0.0.127 host 172.19.250.10
access-list 110 permit ip 172.19.3.128 0.0.0.127 any
access-list 110 permit ip 172.19.10.0 0.0.0.255 any
access-list 198 remark "Networks for IISVPN Client"
access-list 198 permit ip 172.19.3.0 0.0.0.127 172.20.3.128 0.0.0.127
access-list 198 permit ip 172.19.3.128 0.0.0.127 172.20.3.128 0.0.0.127
access-list 199 permit tcp any any eq 3389
route-map PAETEC permit 10
match ip address 110
match interface Serial0/2/0
route-map COMCAST permit 10
match ip address 110
match interface FastEthernet0/1
route-map VERIZON permit 10
match ip address 110
match interface Serial0/1/0.1
snmp-server community 123 RO
radius-server host 172.19.3.7 auth-port 1645 acct-port 1646 key 7 000000000000000
control-plane
line con 0
line aux 0
line vty 0 4
access-class 23 in
privilege level 15
transport input telnet ssh
line vty 5 15
access-class 23 in
privilege level 15
transport input telnet ssh
scheduler allocate 20000 1000
ntp server 128.118.25.3
ntp server 217.150.242.8
endIf you are planning to use the fa0/1 interface IP itself then the configuration would be:
ip nat inside source static tcp 172.19.3.133 8443 interface fa0/1 8443 extendable
Assuming that you would like to port forward TCP/8443.
Then the ACL should be written:
ip access-list extended 102
2 permit tcp any host eq 8443
Maybe you are looking for
-
If I use AOL's browser, I can print Web pages. But not from Firefox. Could be this problem began with upgrade to your 4.0.1.
-
Odd subversion client behavior - has anyone seen this?
We are using DW CS4 with the subversion client for version control. One of our developers, working on a mac with OS X v 10.5.6, sees odd behavior when using 'Put' to send a file from his local copy to either a testing server or the remote site. What
-
Network 0.0.0.0 in IPS alerts
Good afternoon: I have a Cisco IPS 4240 sensor. This appliance is generating alerts with the network 0.0.0.0 as attacker and victim. Example: Severity informational Application Name sensorApp Event Time 02/20/2009 12:26:19 Sensor Local Time 01/20/200
-
Hi All, I need to check for certain data changes before saving a business partner using transaction BP in CRM. If there are any unwanted changes I need to throw an error and should not allow to change the business partner using transaction BP. For th
-
Does photoshop have a healing brush tool like lightroom v5 ?
Hi i have photoshop cs6 , and i was watching a video about the new lightroom features it was amazing how in this video lightroom v5 brush tool work does cs6 have such feature ? or is included in cc only? at minute 9:06 there is an amazing review abou